Bird
Raised Fist0
Cybersecurityknowledge~10 mins

Port scanning with Nmap in Cybersecurity - Step-by-Step Execution

Choose your learning style10 modes available
LearnWhyDeepVisualPracticeChallengeProjectRecallTime

Start learning this pattern below

Jump into concepts and practice - no test required

or
Recommended
Test this pattern10 questions across easy, medium, and hard to know if this pattern is strong
Concept Flow - Port scanning with Nmap
Start Nmap Command
Send Probe Packets to Target Ports
Wait for Responses
Analyze Responses
Determine Port Status
Display Scan Results
End
Nmap sends small data packets to target ports, waits for replies, analyzes them to find which ports are open, closed, or filtered, then shows the results.
Execution Sample
Cybersecurity
nmap -sS 192.168.1.1

# Sends TCP SYN packets to scan common ports on the target IP
This command performs a stealthy TCP SYN scan on the target IP to find open ports.
Analysis Table
StepActionPacket SentResponse ReceivedPort Status DeterminedOutput
1Send SYN packet to port 22SYN to port 22SYN-ACK from port 22OpenPort 22 is open
2Send SYN packet to port 80SYN to port 80No responseFilteredPort 80 is filtered
3Send SYN packet to port 443SYN to port 443RST from port 443ClosedPort 443 is closed
4Send SYN packet to port 8080SYN to port 8080SYN-ACK from port 8080OpenPort 8080 is open
5Scan completeNo more packetsNo more responsesScan finishedSummary of open, closed, filtered ports
6ExitN/AN/AN/ANmap scan ends
💡 All target ports scanned; no more packets to send.
State Tracker
VariableStartAfter Step 1After Step 2After Step 3After Step 4Final
Port 22 StatusUnknownOpenOpenOpenOpenOpen
Port 80 StatusUnknownUnknownFilteredFilteredFilteredFiltered
Port 443 StatusUnknownUnknownUnknownClosedClosedClosed
Port 8080 StatusUnknownUnknownUnknownUnknownOpenOpen
Key Insights - 3 Insights
Why does no response from a port indicate it is filtered?
Because in the execution_table row 2, no response means the packet was likely dropped by a firewall, so Nmap reports it as filtered.
What does a SYN-ACK response indicate in the scan?
As shown in rows 1 and 4, a SYN-ACK means the port is open and ready to accept connections.
Why does Nmap send SYN packets instead of full connections?
Nmap uses SYN packets (half-open scan) to avoid completing the TCP handshake, making the scan stealthier, as seen in the execution_sample command.
Visual Quiz - 3 Questions
Test your understanding
Look at the execution_table row 3. What response does port 443 send?
ARST
BSYN-ACK
CNo response
DFIN
💡 Hint
Check the 'Response Received' column in row 3 of the execution_table.
At which step does Nmap determine port 80 is filtered?
AStep 1
BStep 2
CStep 4
DStep 5
💡 Hint
Look at the 'Port Status Determined' column for port 80 in the execution_table.
If port 22 sent a RST instead of SYN-ACK, what would its status be?
AOpen
BFiltered
CClosed
DUnknown
💡 Hint
Refer to the pattern in execution_table row 3 where RST means closed.
Concept Snapshot
Nmap port scanning sends probe packets to target ports.
Responses show if ports are open (SYN-ACK), closed (RST), or filtered (no reply).
Common scan: 'nmap -sS target_ip' uses TCP SYN scan.
Results help find active services on a network.
Useful for security checks and network troubleshooting.
Full Transcript
Port scanning with Nmap works by sending small probe packets to specific ports on a target computer. Nmap waits for replies to see if the ports respond with SYN-ACK (open), RST (closed), or no response (filtered). For example, sending a SYN packet to port 22 and receiving SYN-ACK means the port is open. If no response comes from port 80, it is filtered (e.g., by a firewall). Receiving RST from port 443 means it is closed. This scanning method is called a TCP SYN scan and is stealthy because it does not complete the full connection. The scan ends after checking all target ports and then shows a summary of which ports are open, closed, or filtered. This helps users understand what services are running on the target and find security weaknesses.

Practice

(1/5)
1. What is the primary purpose of using nmap in cybersecurity?
easy
A. To find open ports on a network device
B. To encrypt network traffic
C. To create firewalls
D. To monitor user activity

Solution

  1. Step 1: Understand what port scanning means

    Port scanning is the process of checking which ports on a device are open and listening for connections.

  2. Step 2: Identify Nmap's role

    Nmap is a tool designed to perform port scanning to find open ports and services on devices.

  3. Final Answer:

    To find open ports on a network device -> Option A

  4. Quick Check:

    Port scanning = Finding open ports [OK]
Hint: Nmap scans ports to find open network services [OK]
Common Mistakes:
  • Confusing port scanning with encryption
  • Thinking Nmap creates firewalls
  • Assuming Nmap monitors user activity
2. Which of the following is the correct basic syntax to scan a single IP address using Nmap?
easy
A. nmap -open 192.168.1.1
B. nmap scan 192.168.1.1
C. nmap --check 192.168.1.1
D. nmap -sS 192.168.1.1

Solution

  1. Step 1: Recall Nmap command structure

    Nmap commands start with 'nmap' followed by options and then the target IP.

  2. Step 2: Identify correct option for scanning

    The '-sS' option is a common scan type (TCP SYN scan) and is valid syntax.

  3. Final Answer:

    nmap -sS 192.168.1.1 -> Option D

  4. Quick Check:

    Correct Nmap scan syntax = nmap -sS 192.168.1.1 [OK]
Hint: Use 'nmap -sS <IP>' for a basic TCP SYN scan [OK]
Common Mistakes:
  • Using 'scan' as a command option
  • Using invalid options like '-open' or '--check'
  • Omitting the scan type option
3. What will be the result of running nmap -p 22,80 192.168.0.10?
medium
A. Scan ports 22 and 80 on 192.168.0.10
B. Scan all ports on 192.168.0.10
C. Scan ports 22 to 80 on 192.168.0.10
D. Scan only port 80 on 192.168.0.10

Solution

  1. Step 1: Understand the '-p' option in Nmap

    The '-p' option specifies which ports to scan. Comma-separated values mean specific ports.

  2. Step 2: Analyze the ports listed

    Ports 22 and 80 are explicitly listed, so only these two ports will be scanned.

  3. Final Answer:

    Scan ports 22 and 80 on 192.168.0.10 -> Option A

  4. Quick Check:

    '-p 22,80' means scan ports 22 and 80 [OK]
Hint: Comma lists in '-p' scan only those ports [OK]
Common Mistakes:
  • Assuming '-p 22,80' scans all ports
  • Thinking it scans a range from 22 to 80
  • Ignoring the port list format
4. Identify the error in this Nmap command: nmap -p 80-22 192.168.1.5
medium
A. IP address format is incorrect
B. Port range is reversed; should be 22-80
C. Missing scan type option
D. No error; command is correct

Solution

  1. Step 1: Check port range syntax

    Port ranges must be in ascending order, e.g., 22-80, not 80-22.

  2. Step 2: Verify other parts of the command

    The IP address format is correct, and scan type is optional; default scan works.

  3. Final Answer:

    Port range is reversed; should be 22-80 -> Option B

  4. Quick Check:

    Port ranges must ascend, not descend [OK]
Hint: Port ranges must go from smaller to larger number [OK]
Common Mistakes:
  • Using descending port ranges
  • Thinking IP format is wrong
  • Believing scan type is always required
5. You want to scan a network range from 192.168.1.1 to 192.168.1.254 for open HTTP ports (port 80) only. Which Nmap command should you use?
hard
A. nmap -p 80 192.168.1.0-254
B. nmap -p 80 192.168.1.1/24
C. nmap -p 80 192.168.1.1-192.168.1.254
D. nmap -p 80 192.168.1.0/24

Solution

  1. Step 1: Understand how to specify IP ranges in Nmap

    Nmap accepts explicit ranges like '192.168.1.1-192.168.1.254' to scan all addresses in that range.

  2. Step 2: Check port and target correctness

    Port 80 is specified correctly with '-p 80'. The range '192.168.1.1-192.168.1.254' covers all hosts from .1 to .254.

  3. Step 3: Evaluate other options

    nmap -p 80 192.168.1.0-254 scans from 192.168.1.0 to 192.168.1.254, including the unwanted network address .0. nmap -p 80 192.168.1.1/24 uses CIDR /24 which scans the entire subnet (.0 to .255). nmap -p 80 192.168.1.0/24 scans the entire subnet including .0 and .255.

  4. Final Answer:

    nmap -p 80 192.168.1.1-192.168.1.254 -> Option C

  5. Quick Check:

    Explicit IP range with '-p 80' = nmap -p 80 192.168.1.1-192.168.1.254 [OK]
Hint: Use full IP range for precise scanning [OK]
Common Mistakes:
  • Using shorthand range 192.168.1.0-254 (includes .0)
  • Confusing CIDR notation with explicit ranges
  • Including network address (.0) in scan